Method and device for proving his identity

ABSTRACT

The invention is related to a method allowing a prover holding a secret key (x) to prove its identity to a verifier and to prove to this verifier that he is within a predetermined distance of this verifier, said method comprising an initialization phase during which:
         the prover picks a first nonce (N p ) and communicates this first nonce to the verifier;   the verifier picks a first random vector (a), a leak function (L μ ), and a second nonce (N v );   the verifier uses said leak function (L μ ) to compute a modified secret (x′) depending on the leak (L μ (x)) of said secret;   the verifier transmits to said prover said leak function and said second nonce;   the prover retrieves said first random vector and said modified secret,   wherein said first random vector and said modified secret are used by said prover for computing responses (r i ) to challenges (c i ).

The present application claims priority from US provisional application U.S. 61/951,255 filed on Mar. 11, 2014, the contents of which is hereby enclosed by reference.

INTRODUCTION

The present invention is related to a distance bounding methods and to devices allowing a user to prove his identity and proximity to a verifier.

RELATED ART

Some important applications such as NFC-based payments or RFID access cards in our daily lives provide services according to the user's location. Relay attacks are serious threats against these applications. For instance, if someone make payment with a card on a malicious device then the device can relay to a fake card which is paying for something more expensive. As wireless technologies become more and more pervasive, being used daily in access control, remote unlocking credit-card payments and beyond, relay attacks also become a growing threat to the social acceptance of these techniques. It seems likely that nearly all wireless devices will eventually have to implement solutions to thwart these types of fraud.

To defeat relay attacks, Brands and Chaum introduced the notion of distance-bounding protocols in S. Brands, D. Chaum, “Distance-Bounding Protocols (Extended Abstract)”, Advances in Cryptology EUROCRYPT '93, Lofthus, Norway, Lecture Notes in Computer Science 765, pp. 344-359, Springer-Verlag, 1994.

Distance bounding is a special problem of position-based cryptography, as described by Chandran et al. in N. Chandran, V. Goyal, R. Moriarty, R. Ostrovsky, “Position Based Cryptography”, Advances in Cryptology CRYPTO '09, Santa Barbara, Calif., U.S.A., Lecture Notes in Computer Science 5677, pp. 391-407, Springer-Verlag, 2009.

Loana Boureanu and Serge Vaudenay describe an implementation in “Challenges in Distance-Bounding”, Security & Privacy, IEEE, 2015/1, Volume 12, Band 1, pages 41-48.

These distance-bounding protocols rely on information being local and incapable of travelling faster than the speed of light. So, in distance-bounding, an RFID reader can assess when participants are close enough because the round-trip communication time must have been short enough. The whole idea of distance-bounding is that a prover, holding a key x, demonstrates that he is close to a verifier (who also knows this key x).

The literature on distance-bounding considers several threat models:

-   -   Distance fraud (DF): a far-away malicious prover tries to         illicitly pass the protocol.     -   Mafia fraud (MF): a man-in-the-middle (MiM) adversary between a         far-away honest prover and a verifier tries to exploit the         prover's insights to make the verifier accept. (This generalizes         relay attacks as not only does this adversary relay, but he may         also modify the messages involved.). This attack is described         in Y. Desmedt, “Major Security Problems with the “Unforgeable”         (Feige-) Fiat-Shamir Proofs of Identity and How to Overcome         Them”, Congress on Computer and Communication Security and         Protection Securicom '88, Paris, France, pp. 147-159, SEDEP         Paris France, 1988.     -   Terrorist fraud (TF): a far-away malicious prover colludes with         an adversary to make the verifier accept the adversary's rounds         on behalf of this far-away prover, in such a way that the         adversary gains no advantage to later pass the protocol on his         own. This attack is described in the previously mentioned         publication of Y. Desmedt.     -   Impersonation fraud: An adversary tries to impersonate the         prover to the verifier. This attack is described in G.         Avoine, A. Tchamkerten, “An Efficient Distance Bounding RFID         Authentication Protocol: Balancing False-Acceptance Rate and         Memory Requirement”, In Information Security ISC '09, Pisa,         Italy, Lecture Notes in ComputerScience 5735, pp. 250-261,         Springer-Verlag, 2009.     -   Distance hijacking [15]: A far-away prover takes advantage of         some honest, active provers (of which one is close) to make the         verifier grant privileges for the far-away prover. This attack         is described in C. J. F. Cremers, K. B. Rasmussen, B.         Schmidt, S. Capkun, “Distance Hijacking Attacks on Distance         Bounding Protocols”, IEEE Symposium on Security and Privacy S&P         '12, San Francisco, Calif., USA, pp. 113-127, IEEE Computer         Society, 2012.

S. Vaudenay, “On Modeling Terrorist Frauds”, In Provable Security ProvSec '13, Melaka, Malaysia, Lecture Notes in Computer Science 8209, pp. 1-20, Springer-Verlag, 2013.17, proposed a formal model of the attacks and protocols (herein called the BMV model) including the notion of time. A more complete model is described in Ioana Boureanu, Aikaterini Mitrokotsa, Serge Vaudenay, “Practical and provably secure distance-bounding”, 2015, Journal of Computer Security, IOS Press, Available as IACR Eprint 2013/465 report, 2013, http://eprint.iacr.org/2013/465.pdf. Based on all these models, the paper factors all the previously enumerated common frauds into three possible threats:

-   -   Distance fraud. This is the classical notion, but concurrent         runs with many participants is additionally considered. I.e., it         includes other possible provers (with other secrets) and         verifiers. Consequently, this generalized distance fraud also         includes distance hijacking.     -   Man-in-the-middle. This formalization considers an adversary         working in two phases. During a learning phase, this adversary         can interact with many honest provers and verifiers. Then, the         attack phase contains a far away honest prover of given ID and         possibly many other honest provers and other verifiers. The goal         of the adversary is to make the verifier accept the proof with         ID. Clearly, this generalizes mafia fraud (capturing relay         attacks) and includes impersonation fraud.     -   Collusion fraud. This formalization considers a far-away prover         holding x who helps an adversary to make the verifier accept.         This might be in the presence of many other honest participants.         However, there should be no man-in-the-middle attack stemming         from this malicious prover. I.e., one should not extract from         this prover any advantage to (later) run a man-in-the-middle         attack.

In S. Vaudenay, “On Modeling Terrorist Frauds”, Provable Security ProvSec '13, Melaka, Malaysia, Lecture Notes in Computer Science 8209, pp. 1-20, Springer-Verlag, 2013.17, the last threat model is replaced by a notion coming from interactive proofs:

-   -   Soundness. For all experiment with a verifier ν, there exists an         extractor such that the following holds: if this extractor is         given as input several views of all participants which were         close to ν in several executions and which made him accept         therein, then this extractor reconstructs the secret x. This was         further shown to generalize collusion-fraud resistance.

There exist many distance-bounding protocols, but nearly all are broken in some way. For instance, the protocols from G. P. Hancke, M. G. Kuhn, “An RFID Distance Bounding Protocol” Conference on Security and Privacy for Emerging Areas in Communications Networks SecureComm '05, Athens, Greece, pp. 67-73, IEEE, 2005, as well as the protocol from C. H. Kim, G. Avoine, “RFID Distance Bounding Protocol with Mixed Challenges to Prevent Relay Attacks”, Cryptology and Network Security, 8th International Conference CANS 2009, Kanazawa, Japan, Lecture Notes in Computer Science 5888, pp. 119-133, Springer-Verlag, 2009, or the protocol from V. Nikov, M. Vauclair, “Yet Another Secure Distance-Bounding Protocol”, Proceedings of SECRYPT '08, Porto, Portugal, pp. 218-221, INSTICC Press, 2008, are vulnerable to Terrorist Fraud TF. Man-in-the middle attacks are also effective against many distance-bounding protocols, for example if a man-in-the-middle is placed at an authorised distance from the verifier.

In particular, G. P. Hancke, “Distance Bounding for RFID: Effectiveness of Terrorist Fraud”, Conference on RFID-Technologies and Applications RFID-TA '12, Nice, France, pp. 91-96, IEEE, 2012, observed that noisy-resilience in nearly all protocols allowed to mount a Terrorist Fraud Attack. This is also valid for the SwissKnife protocol described by C. H. Kim, G. Avoine, F. Koeune, F.-X. Standaert, O. Pereira. The Swiss-Knife RFID Distance Bounding Protocol. In Information Security and Cryptology ICISC '08, Seoul, Korea, Lecture Notes in Computer Science 5461, pp. 98-115, Springer-Verlag, 2009.

So, the problem of making provably secure distance bounding is of utmost importance.

We will now describe the SKI protocol and the Fischlin-Onete (FO) protocol of the prior art. Those two protocols provide an all-encompassing proven security, i.e., they protect against all the above threats.

The SKI Protocol

The SKI protocol is illustrated on FIG. 5. It is described in Boureanu, A. Mitrokotsa, S. Vaudenay, “Secure & Lightweight Distance-Bounding”, Lightweight Cryptography for Security and Privacy LightSec '13, Gebze, Turkey, Lecture Notes in Computer Science 8162, pp. 97-113, Springer-Verlag, 2013; in I. Boureanu, A. Mitrokotsa, S. Vaudenay, “Practical & Provably Secure Distance-Bounding” available as IACR Eprint 2013/465 report, 2013. http://eprint.iacr.org/2013/465.pdf; in I. Boureanu, A. Mitrokotsa, S. Vaudenay, “Towards Secure Distance Bounding”, “Fast Software Encryption 13”, Singapore, Lecture Notes in Computer Science 8424, pp. 55-67, Springer-Verlag, 2013, among others.

In the SKI protocol, a secret x∈{0,1}^(s) is considered, given a security parameter s. The secret is shared between the prover p and the verifier v. The function f must be a PRF with circular-PRF security. It uses some other parameters based on s: the number of rounds n, a threshold T, and the nonce length l_(nonce).

Given a vector μ, the linear function L_(μ) is defined by

L _(μ)(x)=(μ·x, . . . , μ·x)

Namely, all bits are set to the dot product between μ and x. With x′=Lμ(x), Hancke's terrorist fraud [20] would reveal a majority of the bits of x′ thus leaking L_(μ)(x). Since L_(μ) is not chosen by the prover p, by repeating the attack, we can collect enough information about x to reconstruct x. So, Hancke's terrorist fraud is prevented.

There exists several variants of SKI with different properties. Namely, secret sharing schemes other than the one in FIG. 7 can be considered. Other leakage schemes L_(μ) can also be considered.

The FO Protocol

The FO protocol is described in M. Fischlin, C. Onete, “Terrorism in Distance Bounding: Modelling Terrorist-Fraud Resistance”, Applied Cryptography and Network Security ACNS '13, Banff AB, Canada, Lecture Notes in Computer Science 7954, pp. 414-431, Springer-Verlag, 2013. It is also depicted The FO protocol is depicted on FIG. 6.

The protocol builds up on the Swiss-Knife protocol and uses a special escape strategy b=1. Normal users shall only use b=0. For b=1, the verifier expect a simple echo on challenges (i.e., r_(i)=c_(i)), does not verify the tag t, and has a probabilistic behavior: it accepts with probability p_(e) where e is the Hamming distance between I and the secret y.

Theorem 19

(DF-resistance of FO) The FO scheme α-resists to distance frauds, for

${\alpha = {{Tail}\left( {w,{\tau - n + w},\frac{1}{2}} \right)}},$

where w is the Hamming weight of y. On average over y, this is

$\alpha = {{{Tail}\left( {n,\tau,\frac{3}{4}} \right)}.}$

For

${\frac{\tau}{n} > {\frac{3}{4} + {cte}}},$

this is negligible. The FO protocol offers some form of terrorist-fraud, but, as the SKI protocol, requires a high number of rounds to be resistant.

BRIEF SUMMARY OF THE INVENTION

It is an aim of the present invention to provide another method for offering provably secure distance bounding.

It is another aim of the present invention to provide a method offering provably secure distance bounding which is more efficient, i.e., which requires less rounds and/or less data to be exchanged for offering the same reliability at a given level of noise.

According to the invention, these aims are achieved by means of a method allowing a prover (p) holding a secret key (x) to prove its identity to a verifier (v) and to prove to this verifier that he is within a predetermined distance of this verifier, said method comprising an initialization phase and a distance bounding phase, said initialization phase comprising the following steps:

the prover (p) picks a first nonce (N_(p)) and communicates this first nonce to the verifier;

the verifier (v) picks a first random vector (a), a leak function (L_(μ)), and a second nonce (N_(v));

the verifier uses said leak function (L_(μ)) to compute a modified secret (x′) depending on the leak (L_(μ)(x)) of said secret (x);

the verifier transmits to said prover said leak function (L_(μ)) and said second nonce (N_(v));

the prover retrieves said first random vector (a) and said modified secret (x′),

wherein said first random vector (a) and said modified secret (x′) are used by said prover during said distance bounding phase for computing responses (r_(i)) to challenges (c_(i)) sent by said verifier to said prover.

This method is a distance-bounding (DB) protocol. It behaves like a traditional interactive proof system as it really is a proof of proximity. In particular, it satisfies: 1. completeness (i.e., an honest prover close to the verifier will certainly pass the protocol); 2. soundness (i.e., if the verifier accepts the protocol, then we could extract from close-by participants the information to define a successful prover); 3. security (i.e., no participant shall be able to extract some information from the honest prover to make the verifier accept).

The different parameters (nonces, vectors, etc) are not necessarily transmitted in clear form; they may be transformed or embedded in matrices or vectors.

For example, in one embodiment, the verifier may further compute a computed vector (M) as a function of said first vector (a), said first nonce (N_(p)), said second nonce (N_(v)), and said leak function (L_(μ)), and transmit said computed vector (M) transmits to said prover. The prover then receives from said verifier the computed vector (M). The prover may use the computed vector to retrieve said random vector.

In a preferred embodiment, the method further comprises a challenge verification phase after said distance bounding phase,

wherein said prover sends to said verifier during said verification phase a parameter (t) that depends on challenges (c′_(i)) received by said prover during said distance bounding phase,

wherein said verifier uses said parameter (t) to determine during said verification phase whether the challenges (c′_(i)) received by said prover during said distance bounding phase correspond to the challenges (c_(i)) sent to said prover.

The challenges (c_(i)) may be non binary.

The method may comprise a step during said initialization phase during which said verifier picks a second random vector (b) with a Hamming weight of n/2, where n is the number of challenges sent during said distance bounding phase,

wherein said modified secret (x′) is the addition of the leak of said secret (L_(μ)(x)) and of the second random vector (b);

wherein said verifier transmits said second random vector (b) to said prover.

The prover p may be a device or apparatus comprising software allowing him to prove its identity. For example, the prover may be embedded as a wireless smart card, or as a NFC device, or as an electronic access control device.

The verifier v may be a device or apparatus comprising software allowing him to verify a claimed identity and distance of a prover. For example, the verifier may be embedded as a computer, point-of-sale-equipment, server, smartphone etc.

As seen from a prover p, an embodiment of the method of the present invention comprises an initialization phase and a distance bounding phase, said initialization phase comprising the following steps:

the prover picks a first nonce (N_(p)) and communicates this first nonce to the verifier;

the prover receives from said verifier a leak function (L_(μ)) and a second nonce (N_(v));

the prover determines a first random vector (a) and a modified secret (x′) based on the received the first nonce, on the second nonce, on the leak function, and on the secret key (X);

said prover uses said first random vector (a) and said modified secret (x′) during a distance bounding phase for computing responses (r_(i)) to challenges (c_(i)) received from said verifier.

The method may further comprise a challenge verification phase after said distance bounding phase. The prover may send to said verifier during said verification phase a parameter (t) that depends on challenges (c′_(i)) received by said prover during said distance bounding phase.

As seen from a verifier v, an embodiment of the method of the present invention that can be used by a verifier holding a secret key (x) to verify the identity of a prover and whether this prover is within a predetermined distance of this prover may comprise an initialization phase and a distance bounding phase, said initialization phase comprising the following steps:

the verifier receives a first nonce (N_(p)) transmitted by a prover;

the verifier picks a first random vector (a), a leak function (L_(μ)), and a second nonce (N_(v));

the verifier uses said leak function (L_(μ)) to compute a modified secret (x′) depending on the leak (L_(μ)(x)) of said secret (x);

the verifier transmits to said prover said leak function (L_(μ)) and said second nonce (N_(v));

the verifier send challenges (c_(i)) to said prover;

the verifier verifies a response (r_(i)) to said challenge received from said prover;

the verifier verifies the delay (t_(i)) between a challenge and a response (r_(i)) to said challenge.

The method may further comprise a challenge verification phase after said distance bounding phase,

wherein said receiver receives from said verifier during said verification phase a parameter (t) that depends on challenges (c′_(i)) received by said prover during said distance bounding phase,

wherein said verifier uses said parameter (t) to determine during said verification phase whether the challenges (c′_(i)) received by said prover during said distance bounding phase correspond to the challenges (c_(i)) sent to said prover.

The method may further comprise a step during said initialization phase during which said verifier picks a second random vector (b) with a Hamming weight of n/2 where n is the number of challenges sent during said distance bounding phase, wherein said modified secret (x′) further depends on said second random vector (b);

wherein said verifier transmits said second random vector (b) to said prover.

In one aspect, the invention is also related to an electronic device which could be used as prover and comprising:

a storage for holding a secret key (x)

means for picking a first nonce (N_(p)) and for communicating this first nonce to a verifier;

means for receiving from said verifier a leak function (L_(μ)) and a second nonce (N_(v));

means for retrieving a first random vector (a) and a modified secret (x′) based on the first nonce, on the second nonce, on the leak function, and on the secret key (X); means for receiving from said verifier a sequence of challenges (c_(i));

means for determining responses (r_(i)) to said challenges based on said first nonce (a) and on said modified secret (x′_(i)).

The device p may further comprise means for computing and transmitting to said verifier during a verification phase a parameter (t) that depends on challenges (c′_(i)) received by said prover during said distance bounding phase.

The device p may be a smart card, a NFC device or an electronic access control device.

According to one aspect, the invention is related to an electronic device v which could be used as verifier and comprising:

means for receiving a first nonce from a verifier;

means for picking a first random vector (a), a leak function (L_(μ)), and a second nonce (N_(v));

means using said leak function (L_(μ)) to compute a modified secret (x′) depending on the leak (L_(μ)(x)) of said secret (x);

means for transmitting to said prover said leak function (L_(μ)) and said second nonce (N_(v));

means for sending challenges (c_(i)) to said prover;

means for verifying responses (r_(i)) to said challenges from said prover;

means for verifying a delay (t_(i)) between a challenge and a corresponding response (r_(i)) received from the prover.

The device of may further comprise means using a parameter (t) received from said prover to determine during a verification phase whether the challenges (c′_(i)) received by said prover during said distance bounding phase correspond to the challenges (c_(i)) sent to said prover.

The device may further comprising means for picking a second random vector (b) with a Hamming weight of n/2 where n is the number of challenges sent during said distance bounding phase,

wherein said modified secret (x′) is the addition of the leak of said secret (L_(μ)(x)) and of the second random vector (b);

wherein said verifier transmits said second random vector (b) to said prover.

According to one aspect, the invention is also related to a system comprising a device p that can be used as a prover and a device v that can be used as a verifier.

According to one aspect, the invention is also related to a tangible computer-program product comprising a computer-readable medium comprising codes executable by at least one processing circuit for causing said processing circuit to carry out the above described method.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood with the aid of the description of an embodiment given by way of example and illustrated by the figures, in which:

FIG. 1 illustrates the DBopt bounding protocol;

FIG. 2 illustrates the DB1 bounding protocol;

FIG. 3 illustrates the DB2 bounding protocol;

FIG. 4 illustrates the DBopt bounding protocol.

FIG. 5 illustrates the SKI protocol of the prior art.

FIG. 6 illustrates the FO protocol of the prior art.

DETAILED DESCRIPTION OF POSSIBLE EMBODIMENTS OF THE INVENTION

For our security proofs, we will now first introduce a new complete set of security definitions for distance-bounding, capturing the previous notions, but being in line with the established theory behind interactive proofs. In particular, we will revisit the definition of mafia fraud/man-in-the-middle and the definition of terrorist fraud/collusion fraud.

Useful Bounds for Noisy Communications

To assert security in noisy communications, we will make use of the tail of the binomial distribution:

${{Tail}\left( {n \cdot \tau \cdot \rho} \right)} = {\sum\limits_{i = \tau}^{n}{\begin{pmatrix} n \\ i \end{pmatrix}{{\rho^{i}\left( {1 - \rho} \right)}^{n - i}.}}}$

For any ∈,n ,τ,ρ such that

${\frac{\tau}{n} < {\rho - ɛ}},$

we have Tail(n,τ,ρ)<1−e^(−2∈) ² ^(n). For

${\frac{\tau}{n} < {\rho - ɛ}},$

we have Tail(n,τ,ρ)<e^(−2∈) ² ^(n).

Revised DB Security Model and Proofs

we now refine the security definitions and other tools from the above described BMV security model. In this section, we also discuss the links with the original notions.

In this example, we concentrate on distance-bounding protocols based on symmetric cryptography (which is the overwhelmingly prevalent approach in DB. The method could also be applied to public-key distance-bounding, using asymmetric cryptography.

Definition 1

A (symmetric) distance-bounding protocol is a tuple (

,P,V,B), constructed of the following: a key domain

; a two-party probabilistic polynomial-time (PPT) protocol (P(x),V(x)), where P is the proving algorithm, V is the verifying algorithm, and x is taken from

; a distance bound B. At the end of the protocol, the verifier V(x) sends a final message Out_(V). This output denotes that the verifier accepts (Out_(V)=1) or (Out_(V)=0).

In a DB protocol, apart from the participants prover and verifier, there may exist adversaries. Each participant has instances and each instance has its own location. P denotes the set of instances of the prover, V denotes the set of the instances of the verifier and A denotes the set of the instances of the other participants.

Informally, a distance-bounding protocol is complete if executing P(x)

V(x) on locations within a distance bounded by B makes V(x) accept with overwhelming probability. The formalism is straightforward with the settings below.

We can compare the protocols of the invention to any DB protocol that follows what we call the common structure.

Definition 2. (Common Structure)

A DB protocol with the common structure based on parameters (n,τ,num_(c),num_(r)) has some initialization and verification phases which do not depend on communication times. The verification phase can be interactive or not. These phases are separated by n rounds of timed challenge/response exchanges. This is called the distance bounding phase. A response is on time if the elapsed time between sending the challenge and receiving the response is at most 2B. Provers don't measure time Provers have no clock. They are in a waiting state to receive the challenge. Challenges and responses are in sets of cardinality num_(c) and num_(r), respectively.

When the protocol follows the specified algorithms but messages during the distance bounding phase can be corrupted during transmission, we say that the protocol is τ-complete if the verifier accepts if and only if at least τ rounds have a correct and on-time response.

One can easily see that nearly all distance-bounding protocols in the literature fit this definition.

In practice, when the timed phase is subject to noise, we assume that there is a probability of p_(noise) that one round of challenge/response is corrupted. The probability that an honest prover, close to the verifier, passes the protocol is thus Tail(n,τ,1−p_(noise)). So, with

$\frac{\tau}{n} < {1 - p_{noise}}$

with a constant gap, the probability to fail is negligible, due to the Chernoff-Hoeffding bound.

Participants, Instances, Setup and Locations.

In a DB protocol, participants can be a prover p, a verifier v, or adversaries. The prover and the verifier receive a key x which is randomly selected from the key space. We adopt a static adversarial model: i.e., at the beginning of the experiment, it is decided whether the prover is malicious or not. Participants have several instances. An instance has a location. It corresponds to the execution of a protocol during one session.

A honest prover runs instances of the algorithm P denoted by P(x). An instance of a malicious prover runs an arbitrary algorithm denoted by P*(x). P denotes the set of instances of the prover.

-   -   The verifier is honest without loss of generality (A “malicious         verifier” running an algorithm V*(x) can be seen as a malicious         prover running V*(x)). He runs instances of the algorithm V         denoted by V(x). V denotes the set of instances of the verifier.     -   Other participants are (without loss of generality) malicious         and may run whatever algorithm, but with no initialized key. The         set of such malicious participants is denoted A. By contrast, a         designated, one such instance is denoted         .     -   Locations are elements of a metric space.

Why a Single Identity?

We will use a definition using a single identity, without loss of generality. This is because provers or verifiers running the protocol with other identities (and keys independent of x) could be considered as elements of A.

Definition 3. (DB Experiment)

An experiment exp for a distance-bounding protocol (

,P, V, B) is a setting (P,V,A) with several instances of participants, at some locations, set up as above, and running an overall PPT sequence.

In the above definition, the notion of experiment implies simultaneously several different entities: participants, physical locations, algorithms to be run by these participants and corruption states. As such, when used inside further definitions, the notion of experiment will implicitly or explicitly, upon the case, quantify over these entities.

We further assume that communicating from a location to another takes time equal to the distance. Indeed, no one can violate the fact that communication is limited by the speed of light. Adversaries can intercept some messages and replace them by others, but must adhere to the fact that computation is local.

Therefore, it could be accepted as a Lemma that a close-by participant cannot get online help from far away to answer correctly and in time to the challenge c.

Definition 5 Distinguished Experiment

We denote by exp(

) an experiment in which we fix a verifier instance

=V(x) from V, which we call distinguished verifier. Participants which are within a distance of at most B from a distinguished verifier ν are called close by participants. Others are called far-away participants.

Participants can move during the experiment, but not faster than the transmission of information. For simplicity, we assume that far-away participants remain far away during the experiment.

Definition 6 (α-Resistance to Distance Fraud)

We say that a distance-bounding protocol α-resists to distance fraud if for any distinguished experiment exp(ν) where there is no participant close to ν, the probability that ν accepts is bounded by α.

This definition is simplified and does not capture the notion of distance hijacking; therein, a far-away malicious P*(x) can make ν accept by taking advantage of several honest provers which do not hold x but are close to ν. Nonetheless, distance hijacking and other extensions of classical frauds will be captured by the notion of soundness, which we introduce below.

Theorem 7.

A DB protocol following the common structure with parameters (n, τ,num_(c),num_(r)) cannot α-resist to distance fraud for α lower than

${{Tail}\left( {n,\tau,{\max \left( {\frac{1}{{num}_{c}},\frac{1}{{num}_{r}}} \right)}} \right)}.$

Proof. We construct a DF following the early-reply strategy: a malicious prover guesses with probability

$\frac{1}{{num}_{c}}$

the challenge cg before it is emitted, and then he sends the response so that it arrives on time. The rest of the protocol is correctly simulated (with delay) after receiving the challenges. An incorrect guess would look like a round which probability

${{Tail}\left( {n,\tau,\frac{1}{{num}_{c}}} \right)}.$

We can have a similar attack guessing the response r and succeeding with probability

${{Tail}\left( {n,\tau,\frac{1}{{num}_{r}}} \right)}.$

While the above definition protects verifiers against malicious provers, we need an extra notion to protect the honest prover against men-in-the-middle. This is as follows.

Definition 8 (β-Secure Distance-Bounding Protocol)

We say that a distance-bounding protocol is if for any distinguished experiment exp(

) where the prover is honest, and the prover instances are all far-away from

, the probability that

accepts is bounded by β.

This definition formalizes security without a learning phase.

Intuitively, this notion protects honest provers from identity theft. It implies that x cannot be extracted by a malicious participant; this is along the same lines as in zero-knowledge interactive protocols. This notion of security also captures resistance to relay attacks, mafia fraud, and man-in-the-middle attacks. The advantage of Def. 8 over the resistance to man-in-the-middle attacks, as it was defined in [7,9, Def. 4], is that we no longer need to formalize a learning phase, although we can easily show we capture these notions as well. Our definition is therefore simpler.

Theorem 9.

A DB protocol following the common structure with par meters (n, τ, num_(c),num_(r)) cannot be β-secure for β lower than

${{Tail}\left( {n,\tau,{\max \left( {\frac{1}{{num}_{c}},\frac{1}{{num}_{r}}} \right)}} \right)} \cdot 1$

¹ Same remark about [33] as in Th. 7.

Proof.

We consider

and a far-away instance of the prover P, and a close-by MiM

. In the initialization phase and the verification phase,

passively relays messages between ν and P. During the challenge phase, and in the pre-ask strategy,

guesses the challenge before it is released and asks for the response to P on time so that he can later on answer to ν. Clearly, the attack succeeds with probability

${{Tail}\left( {n,\tau,\frac{1}{{num}_{c}}} \right)}.$

We can have a similar attack with a post-ask strategy where

guesses the response at the same time he forwards the challenge to P. This succeeds with probability

${{Tail}\left( {n,\tau,\frac{1}{{num}_{r}}} \right)}.$

Definition 10 ((γ,γ′,m)-soundnes) We say that a distance-bounding protocol is (γ,γ′,m)-sound if for any distinguished experiment exp(ν) in which ν accepts with probability at least γ, there exists a PPT algorithm ∈ called extractor, with the following property. By ∈ running experiment exp(ν) several times, in some executions denoted exp_(i)(ν), i=1, . . . , M, for M of expected value bounded by m, we have that

Pr[Out_(V) =I:

(View_(I) . . . View_(M))

V|Succ_(I) . . . Succ_(M)]≧γ.

where View_(i) denotes the view of all close-by participants (except ν) and the transcript seen by ν in the run exp_(i)(V′), and Succ is the event that ν accepts in the run exp_(i)(V).

Thus, in this approach, distance fraud does not capture distance hijacking anymore, distance hijacking being now captured by soundness. This makes proofs simpler. To this end, we extend the definition of soundness in such a way that the extraction of the secret is no longer necessary.

In other words, the extractor impersonates the prover to V. In more details, this means that having

accept in run exp_(i)(

) implies the following: a piece of x was given to the close-by participants and it is stored in View_(i), and that m such independent pieces, on average, could allow ∈ to impersonate P(x) to

. This notion is pretty strong as it could offer a guaranty against distance hijacking: a prover making such attack would implicitly leak his credentials.

New Highly Efficient, Symmetric Distance-Bounding Protocols

We will now describe as non limitative examples three distance-bounding protocols or methods, called DBopt. It includes DB1, DB2, and DB3. Those embodiments of the invention are build up on the above described SKI and FO but outperform both the SKI and the FO protocols.

For instance, to offer a false acceptance rate of under 1 and false rejection rate of under 1%, at a noise level of 5% during the rapid bit-exchange, DB1 (with parameter q=3) requires 14/14/54 rounds for resistance to distance fraud/mafia fraud/terrorist fraud, respectively. For the same performance, SKI and FO require 84/48/181 and 84/84/?rounds, respectively. So, DB1 represents a substantial improvement in terms of efficiency, whilst maintaining provable security.

When considering optimality amongst protocols requiring at least τ out of n correct rounds, no clock for the prover p, and a challenge/response set of size q, we show security as follows:

DF- MF- TF- resistance resistance resistance DB1 (q > 2) secure, optimal secure, optimal secure DB2 (q = 2) secure, secure, optimal secure suboptimal DB3 (q = 2) secure, optimal secure, optimal insecure

Indeed, we will see herein that DB1 is in fact optimal in terms of distance-fraud resistance and security with non-binary challenges. The DB2 and DB3 variants are motivated by the use of binary challenges, which is customary in distance-bounding designs. Whilst DB2 is suboptimal, it still performs well, almost always, i.e., better than SKI and FO. DB3 is optimal but not TF-resistant.

DBopt

The DBopt protocol is illustrated on FIG. 1.

We use a security parameter s (the length of the secret x, i.e., x∈K=Z₂ ^(s)) and the following parameters based on s: the number of rounds n, the length l_(tag) of tag, a threshold τ, the nonce length l_(nonce), and a constant q which is a prime power, e.g., q=2, q=3, or q=4. DBopt follows the common structure with parameters n, τ, and num_(c)=num_(r)=q.

We assume L_(μ)(x)=(μ(x), . . . , ρ(x)) for some function x

μ(x), but ρ is not necessarily linear. Concretely, ρ is a vector in Z₂ ^(s) and map a fixed injection from Z₂ to GF(q). Hence, μ(x)=map(μ·x) maps a bitstring x to a GF(q)-representation of the bit obtained by the scalar product μ·x. We let

denote the set of all such possible L_(μ) mappings (map being fixed). The function f_(x) maps to different codomains, depending on its inputs: given two nonces N_(P) and N_(V), L_(μ)∈

, and b, c∈GF(q)^(n), f_(x)(N_(P),N_(V),L_(μ),b)∈GF(q)_(n) and f_(x)(N_(P),N_(V),L_(μ),b,c)∈GF(q)^(l) ^(tag) .

During the initialization, the prover p and the verifier v exchange some nonces N_(P), N_(V), some L_(μ)∈

, and a vector b. The vector b could be fixed in the protocol, but is subject to some constraints as detailed below. V and P compute a=f_(x)(N_(P),N_(V),L_(μ),b) and x′=L_(μ)(x). In the distance bounding phase, the response function is a linear function r_(i)=φ_(c) _(i) (a_(i),x′_(i),b_(i)) defined by the challenge c_(i). The verification checks that the participants have seen the same challenges (based on the tag computed by tag=f_(x)(N_(P),N_(V),L_(μ),b,c)), counts the number of rounds with a correct and timely response, and accepts if there are at least τ of them.

Clearly, the DBopt family is quite open to specific choices for q, map, b, and φ_(c). We propose the instances DB1, DB2, and DB3. There are some specificities in each protocol which are summarized in the following table:

protocoL q map b φ_(c) _(i) DB1 (q > 2) map(u) ≠ 0 No b used φ_(c) _(i) (a_(i), x′_(i), b_(i)) = a_(i) + c_(i)x′_(i) DB2 (q = 2) map(u) = u secure, φ_(c) _(i) (a_(i), x′_(i), b_(i)) = a_(i) + optimal c_(i)x′_(i) + c_(i)b_(i) DB3 (q ≧ 2) No map secure, φ_(c) _(i) (a_(i), x′_(i), b_(i)) = a_(i) + c_(i)b_(i) used optimal

Other instances could be considered.

Specifically, DB3 is the simplest protocol and is optimal, but it offers no soundness. DB2 works with binary challenges and responses, but it is not optimal. DB1 is optimal but needs q≧3 since it requires that map is injective from Z₂ to GF(q)*. These protocols are depicted on FIG. 2-4.

DB1 uses a security parameter s (the secret length) and the following parameters based on s: the number of rounds n, the bitlength n0 of the tag t, a threshold t, the nonce length k, and a constant q>2 which is a prime power, e.g. q=3 or q=4.

A set of parameters Lμ, N_(v), a is picked by the verifier v during an initialization or distance bounding phase. Similarly, a parameter N_(p) is picked by the prover p during the initialization phase. Both share a secret x. During the distance bounding phase, a set of values ci (challenges) is picked by the verifier. A timer is started and used by the verifier for measuring the time needed to receive a response r_(i) to a challenge c_(i). A response is refused if it is not the expected one or if it received after a predetermined delay, corresponding to the predetermined distance bound.

As in SKI, we assume Lμ(x)=(μ(x); _(— — —); μ(x)) for some function u, but we now assume that μ maps a secret x to an element of GF(q)_. (We need at least two elements in this set, this is why we need q>2.)

Like in SKI, the leak vector x′ is fundamental for soundness: the vector x′ encodes μ·x, which leaks if the prover reveals his response function. The protocol DB1 adds a verification step, which allows to use better response functions: thanks to the above extra verification, the response function needs no longer resist men-in-the-middle playing with different challenges on the sides of P and V.

In one embodiment of the DB1, DB2 or DB3 protocol, the sending time of the challenges c_(i) may be randomized, in order to prevent an attack by trying to guess replies and send them in advance. For example, each challenge ci may be sent at a random moment within a given interval of, for example, one microsecond.

The DB1 method thus includes an initialization phase comprising the following steps:

the prover p picks a first nonce (N_(p)) and communicates this first nonce to the verifier;

the verifier v picks a first random vector (a), a leak function (L_(μ)), and a second nonce (N_(v));

the verifier transmits to said prover said leak function (L_(μ)), and said second nonce (N_(v));

the verifier uses said leak function (L_(μ)) to compute a modified secret (x′) depending on the leak (L_(μ)(x)) of said secret (x);

the prover retrieves said first random vector (a) and said modified secret (x′).

During a distance bounding phase, the first random vector (a) and the modified secret (x′) are used by the prover for computing a response (r_(i)) to each of the i challenges (c_(i)) sent by said verifier to said prover.

During a verification phase, the verifier verifies whether the reply r_(i) to each of the i challenges c_(i) correspond to this challenge, taking into account the first random vector a and the modified vector. The verifier also verifies if the delay timer_(i) for receiving each reply is correct, i.e. under a predefined threshold. In a preferred embodiment, a value t is computed by the prover p as a function fx of N_(P), N_(V), L_(μ) and of the received vector c′, and sent to the verifier; this value is compared with a value t computed on the verifier side. The prover is identified if t is correct and if all or at least a sufficient number of r_(i) and t_(i) are correct.

One particularity is that DB1 mandates x′_(i)≠0 so cannot accommodate q=2. If we want q=2, we need for DF-resistance to make sure that r_(i) really depends on c_(i), by introducing the vector b in which exactly half of the coordinates are 0. DB2 can be optimized into DB3 by using r_(i)=a_(i)+c_(i)(so x′ is unused and b_(i)=1 for all i) by sacrificing soundness.

DB1 is optimal in terms of distance-fraud resistance and security with non-binary challenges. A variant to DB1, called DB2, is illustrated on FIG. 3. This variant is motivated in following a trend in distance-bounding: that of using binary challenges. Whilst DB2 is not as efficient as DB1, it is performs well, almost always, better than SKI and FO.

DB2 still uses a security parameter s (the secret length) and the following parameters based on s: the number of rounds n, the bitlength n0 of the tag t, a threshold t, and the nonce length k. The function p now maps {0;1}^(s) to {0;1}. It is required that the random vector b in the DB2 protocol has a Hamming weight of n/2 to protect against distance fraud. The other setps are described and illustrated on FIG. 3.

In the DB1 to DB3 methods, the prover and the verifier are typically electronic devices or equipments. For example, the prover and the verifier could be any electronic equipment with a wireless interface for establishing a wireless communication with a wireless equipment in the vicinity.

The method of the present invention may be used to secure communications between various devices and equipments, including short distance communications between a prover p and a verifier v close to each other. For example, the method is suitable for securing communications over a distance of less than 10 meters, without limitation. The prover and verifier may communicate with each other via one or more wireless communication links that are based on or otherwise support any suitable wireless communication technology, including for example radio communication or optical communication.

For example, in some aspects the prover p and/or the verifier v may be associated within a network. In some aspects the network may comprise a body area network or a personal area network (e.g., an ultra-wideband network). In some aspects the network may comprise a local area network or a wide area network. A wireless device may support or otherwise use one or more of a variety of wireless communication technologies, protocols, or standards such as, for example, any RFID protocol, Bluetooth, NFC, Zigbee, WiMAX, and Wi-Fi. A wireless device may thus include appropriate components (e.g., air interfaces) to establish and communicate via one or more wireless communication links using the above or other wireless communication technologies.

Therefore, the communication between the prover and the verifier could be a wireless communication between two wireless equipments or devices.

DF-Resistance of DB1, DB2, and DB3

Theorem 11 (DF-resistance)

The DBopt protocols α-resists to distance fraud for

-   -   (DB1 and DB3)

$\alpha = {{Tail}\left( {n,\tau,\frac{1}{q}} \right)}$

which is negligible for

${\frac{\tau}{n} > {\frac{1}{q} + {cte}}};$

-   -   (DB2)

$\alpha = {{Tail}\left( {\frac{n}{2},{\tau - \frac{n}{2}},\frac{1}{2}} \right)}$

which is negligible for

$\frac{\tau}{n} > {\frac{3}{4} + {{cte}.}}$

Due to Th. 7, DB1 and DB3 are optimal for DF-resistance. DB2 is clearly not optimal (as DB3 is better with the same q=2). However, the bound is tight for DB2 as the DF guessing the response matches the α bound: the malicious prover always wins the rounds for which x′=b_(i) (that is: exactly half of the rounds due to the Hamming weight of b) by sending the response in advance and passes with probability

$\alpha = {{{Tail}\left( {\frac{n}{2},{\tau - \frac{n}{2}},\frac{1}{2}} \right)}.}$

Proof.

We consider a distinguished experiment exp(

) with no close-by participant. Due to the distance, the answer r_(i) to

comes from far away. Thanks to Lemma 4, r_(i) is independent from c_(i). Since c_(i) is randomly selected when it is sent, r_(i) is statistically independent from c_(i). For DB1, since x′_(i)≠0 by construction, r_(i) equals a_(i)+c_(i)x′_(i) with probability

$\frac{1}{q}.$

The same goes for DB3. For DB2, thanks to the selection of b, this holds for exactly half of the rounds: those such that x′_(i)+b_(i)≠0. So, the probability to succeed in the experiment is bounded as stated.

Security of DB1, DB2, and DB3

We cannot rely on the PRF assumption alone for DB1 or DB2, since the secret is used as a key of f_(x) and also outside f_(x) in x′. The circular-PRF assumption guarantees the PRF-ness of f, even when we encrypt a function L_(μ)(x) of the key. We new recall and extend the notion, to accommodate DB1 and DB2.

Definition 12 (Circular PRF)

We consider some parameters s, n₁, n₂, and q. Given

∈{0,1}^(s), a function L from {0,1}^(s) to GF(q)^(n) ¹ , and a function F from {0,1}* to GF(q)^(n) ² , we define an oracle

by

(y,L,A,B)=A·L(

)+B·F(y), using the dot product over GF(q). We assume that L is taken from a set of functions with polynomially bounded representation. Let (f_(x))_(x∈{0,1}) _(s) be a family of functions from {0,1}* to {0,1}^(n) ² . We say that the family f is a (∈,T)-circular-PRF if for any distinguisher limited to a complexity T, the advantage for distinguishing ο_(x,f) _(x) , x∈_(υ){0,1}^(s), from ο

_(,F),

∈_(υ){0,1}^(s), where F is uniformly distributed, is bounded by ∈. We require two conditions on the list of queries:

-   -   for any pair of queries (y,L,A,B) and (y′,L′,A′,B′), if y=y′,         then L=L′;     -   for any y∈{0,1}), if (y,L,A_(i),B_(i)), i=1, . . . , l is the         list of queries using this value y, then

${\forall\lambda_{1}},\ldots \mspace{14mu},{{\lambda_{} \in {{{GF}(q)}{\sum\limits_{i = 1}^{}\; {\lambda_{i}B_{i}}}}} = {\left. 0\Rightarrow{\sum\limits_{i = 1}^{}\; {\lambda_{i}A_{i}}} \right. = 0}}$

-   -   over the GF(q)-vector space GF(q)^(n) ² and GF(q)^(n) ¹ .

Theorem 13 (Security)

The DBopt protocols are β-seq for

-   -   (DB1 and DB2)

$\beta = {{{Tail}\left( {n,\tau,\frac{1}{q}} \right)} + {\frac{r^{2}}{2}2^{- _{nonce}}} + {\left( {r + 1} \right)ɛ} + {r\; 2^{- _{tag}}}}$

when f is a (∈,T)-circular-PRF (as defined by Def. 12]);

-   -   (DB3)

$\beta = {{{Tail}\left( {n,\tau,\frac{1}{q}} \right)} + {\frac{r^{2}}{2}2^{- _{nonce}}} + ɛ + 2^{- _{tag}}}$

when f is a (∈,T)-PRF.

There, r is the number of honest instances (of P or V) and T is a complexity bound on the experiment. β is negligible for

${\frac{\tau}{n} > {\frac{1}{q} + {cte}}},$

r and T polynomially bounded, and ∈ negligible.

Based on that

${\frac{r^{2}}{2}2^{- _{nonce}}} + {\left( {r + 1} \right)ɛ} + {r\; 2^{- _{tag}}}$

(or the similar term for DB3) can be made negligible against β, DB1, DB2, and DB3 are optimal for security due to Theorem 9.

Proof.

We consider a distinguished experiment exp(ν) with no close-by P(x), no P*(x), and where ν accepts with probability p. We consider a game Γ₀ in which we simulate the execution of exp(ν) and succeed if and only if Out_(V) by ν is an acceptance message. Γ₀ succeeds with probability p.

First of all, we reduce to the same game Γ₁ whose success additionally requires that for every (N_(P),N_(V),L_(μ)) triplet, there is no more than one instance P(x) and one instance V(x) using this triplet. Since P(x) is honest and selecting the l_(nonce)-bit nonce N_(P) at random and the same for V(x) selecting N_(V), by looking at the up to r²/2 pairs of P(x)'s or of V(x)'s and the probability that one selection of a nonce repeats, this new game succeeds with probability at least

$p - {\frac{r^{2}}{2}{2^{- _{nonce}}.}}$

Then, for DB1 and DB2, we outsource the computation of every a_(i)+cx′_(i) to the oracle

_(x,f) _(x) (y,L _(μ) ,A,B)=(A·L _(μ)(x))+(B·f _(x)(y))

as in Def. 12, with y=(N_(P),N_(V),L_(μ),b), A·L_(μ)(x)=c(L_(μ)(x))_(i), and B·f_(x)(y)=(f_(x)(y))_(i). I.e., A_(i)=ce_(i) and B_(i)=e_(i), where e_(i) is the vector having a 1 on its ith component and 0 elsewhere. This can be used with c=c′_(i) by P(x) (for computing r′_(i)) or with c=c_(i) by V(x) (for verifying r_(i)). Similarly, the computation (by P(x) or V(x)) of tag=f_(x)(y) can be made by several calls of form

_(x,f) _(x) (y,L_(μ),0,B). (We note that the y in this case has incompatible form with the y in the r_(i) computation.) So, every computation requiring x is outsourced. Note that queries to the same y must use the same L_(μ) since this is part of y. So, the first condition in Def. 12 to apply the circular-PRF assumption is satisfied. We consider the event E that there exists in the game some sequence (y,L_(μ),A_(j),B_(j)) of queries to

_(x,f) _(x) sharing the same (y,L_(μ)) and some λ_(j)'s such that Σ_(j)λ_(j)B_(j)=0 and Σ_(j)λ_(j)A_(j)=0. We need to restrict to the event

E to apply Definition 12. We consider the event E′ that one instance in V receives a valid tag which was not computed by the prover P (i.e., it was forged).

Let c″_(i) be the value received by V(x) in the verification phase. We assume that V checks that tag is correct, timer_(i) is correct, and c_(i)=c″_(i), then queries

_(x,f) _(x) (y,L_(μ),c_(i),e_(i),e_(i)) only if these are correct. If E happens for some (y,L_(μ)), due to the property of Γ₁, each i has at most two queries. Since B_(j)=e_(i) _(j) , Σ_(j)λ_(j)B_(j)=0 yields pairs of values j and j′ such that i_(j)=i_(j′)=i, A_(j)=c_(i)e_(i), A_(j′)=c′_(i)e_(i), B_(j)=B_(j′)=e_(i), and λ_(j)+A_(j′)=0. The event E implies that there exists one such pair such that λ_(j)A_(j)+λ_(j′)A_(j′)=0. So, c_(i)≠c′_(i). But since V only queries if c″_(i) and tag are correct, we have c_(i)=c″_(i)*c′_(i) and tag correct. So, ν must have accepted some tag which was not computed by P(x). So, E implies E′. We now show that Pr[E′] is negligible.

We define Γ₂, the variant of Γ₁, which in turn requires that E′ does not occur as an extra condition for success. We let E′_(j) be the event that tag_(j), the jth value tag received by any V(x) in V is forged. Let Γ_(1,j) be the hybrid of Γ₁ stopping right after tag_(j) is received and succeeding if E′_(j) occurs but not E′₁, . . . ,E′_(j-1).

Clearly, since E′∪ . . . ∪E′_(j-1) does not occur and we stop right after reception of tag_(j), E cannot occur. (Remember that for E to occur for the first time upon a query to

_(x,f) _(x) , there must be a prior tag which was forged.) So, the conditions to apply the circular-PRF security reduction in Def. 12 is satisfied in Γ_(1,j). We apply the circular-PRF assumption and replace

_(x,f) _(x) , by

_(,F), loosing some probability ∈. We obtain a game Γ_(2,j). Clearly, Γ_(2,j) succeeds with probability bounded by 2^(−l) ^(tag) because F is random. So, Pr_(Γ) _(1,j) [success]≦∈+2^(−l) ^(tag) in Γ_(i,j).

So, Pr[E′] is bounded by the sum of all Pr_(Γ) _(1,j) [success], i.e. Pr_(Γ) _(1,j) [E′]≦r∈+r2^(−l) ^(tag) since the number of hybrids is bounded by r. Hence,

${\Pr_{r_{3}}\lbrack{success}\rbrack} \geq {p - {\frac{r^{2}}{2}2^{- _{nonce}}} - {\left( {r + 1} \right)ɛ} - {r\; {2^{- _{tag}}.}}}$

Now, in the whole game Γ₂ where E′ does not occur, we replace

_(x,f) _(x) by

_(,F) and obtain the simplified game Γ₃. We have

${\Pr_{r_{3}}\lbrack{success}\rbrack} \geq {p - {\frac{r^{2}}{2}2^{- _{nonce}}} - {\left( {r + 1} \right)ɛ} - {r\; {2^{- _{tag}}.}}}$

It is now possible to analyze the protocol r₃. Thanks to Lemma 4, the response is computed based on information from P(x) (w in Lemma 4) which is independent (in the sense of Lemma 4) from the challenge. Either P(x) was queried with a challenge before, but this could only match the correct one with probability

$\frac{1}{q}$

and the adversary would fail with tag otherwise. Or, P(x) leaked nothing about the response to this challenge, and the answer by the adversary can only be correct with probability

$\frac{1}{q}$

In any case, his answer is correct with probability

$\frac{1}{q}$

So, Γ₃ succeeds with probability up to

${{Tail}\left( {n,\tau,\frac{1}{q}} \right)}.$

To sum up, we have

$p \leq {{{Tail}\left( {n,\tau,\frac{1}{q}} \right)} + {\frac{r^{2}}{2}2^{- _{nonce}}} + {\left( {r + 1} \right)ɛ} + {r\; 2^{- _{tag}}}}$

for DB1 and DB2.

For DB3, we loose

$\frac{r^{2}}{2}2^{- _{nonce}}$

from Γ₀ to Γ₁. In Γ₁, we apply the full PRF reduction and loose ∈ to obtain Γ₂ with a random function. We loose 2^(−l) _(tag) more to assume that tag received by νwas not forged in some Γ₃. Then, it is easy to see that either the prover was queried before c_(i) was known, but this will only succeed if c_(i) was correctly guessed, or it was queries after, but this will only succeed if the answer r_(i) was correctly guessed. So, Γ₃ succeeds with a probability bounded by

${{Tail}\left( {n,\tau,\frac{1}{q}} \right)}.$

(Note that DB3 is insecure without the authenticating tag: the man-in-the-middle can just run the DB phase with the prover, deduce a, then answer all challenges from the verifier.)

Soundness of DB1 and DB2

Theorem 14 (Soundness of DB1)

The DB1 scheme is (γ,γ′,s+2)-sound for any

$\gamma \geq {\frac{q}{q - 1}p_{B}}$

and γ′ such that γ′=(1−γ⁻¹p_(B))₂, where p_(B)=max_(a+b≦n)p_(B)(a,b) and

${p_{B}\left( {a,b} \right)} = {\sum\limits_{{u + v} \geq {\tau \cdot a}}\; {\begin{pmatrix} {n - a - b} \\ u \end{pmatrix}\begin{pmatrix} b \\ v \end{pmatrix}\left( {1 - \frac{1}{q}} \right)^{b + u - v}\left( \frac{1}{q} \right)^{n - a - b - u + v}}}$

More precisely, any collusin fraud with a success probability

$\gamma \geq \frac{p_{B}}{1 - \frac{1}{q} - ɛ}$

leaks one random (ρ,μ·x) pair with probability at least

$\frac{1}{q} + {ɛ.}$

Assuming p_(B)=p_(B)(0,0), this compares γ

$\frac{q}{q - 1}{{{Tail}\left( {n,\tau,\frac{q - 1}{q}} \right)}.}$

For instance, for γ=sp_(B) and

${\frac{\tau}{n} > {\frac{q}{q - 1} + {cte}}},$

γ is negligible and γ′ is greater than a constant.

If we applied the same proof as for SKI from [30, Th. 14], we would not get such a good result. We would rather obtain

${{Tail}\left( {\frac{n}{2},{\tau - \frac{n}{2}},\frac{q - 1}{q}} \right)}.$

So, our proof of Th-14 is substantially improved.

Proof.

We consider a distinguished experiment exp(

) where

accepts with probability p≧γ.

The verifier

has computed some a and x′. We apply Lemma 4. We let Resp_(i)(c) be the value of the response r_(i) arriving to when

c_(i) is replaced to c in the simulation. We show below that we can always compute Resp_(i)(c)−Resp_(i)(c′) for any (c,c′) pair from a straightline simulation (i.e., without rewinding). Let View_(i) be the view of close-by participants

until the time before c_(i) arrives, and w_(i) be the extra information (independent from c_(i), in the sense of Lemma 4) arriving from far-away. Due to Lemma 4, we have Resp_(i)(c)=Algo(View_(i),c,w_(i)). So, we can easily compute Resp_(i)(c)−Resp_(i)(c′) without rewinding. The answer by a far-away participant is independent from c_(i), so Resp_(i)(c)−Resp_(i)(c′)=0: we can compute Resp_(i)(c)−Resp_(i)(c′) as well.

We say that c is correct in the ith round if Resp_(i)(c)=a_(i)+cx′_(i). We let C_(i) be the set of correct c's for the ith round. We let S be the set of all i's such that c_(i)∈C_(i). Finally, we let R (resp. R′) be the set of all i's for which #C_(i)=q (resp. #C_(i)≦1). I.e., all c's are correct in the ith round for i∈R and at most one is correct for i∈R′.

By definition, the probability that #S≧τ is p≦γ. We see that

$\frac{{{Resp}_{i}(c)} - {{Resp}_{i}\left( c^{\prime} \right)}}{c - c^{\prime}} = x_{i}^{\prime}$

if i∈R, for any c≠c′. If the left-hand side leads to the same value ξ_(i) for each c≠c′, we say that the round i votes for x′_(i)=ξ_(i). If the (c,c′) pairs do not lead to the same value in GF(q), we say that the round i does not vote. So, we can always compute the vote ξ_(i) from the views of close-by participants. The majority of the available map⁻¹(ξ_(i)) shall decode μ·x.

For DB1, we can prove that if the round i votes for some ξ_(i) such that ξ_(i)≠x′_(i), then we must have i∈R′. Indeed, if round i votes for some ξ_(i) and #C_(i)≧2, it means that there exist two different challenges c and c′ such that the responses Resp_(i)(c) and Resp_(i)(c′) are correct. So, Resp_(i)(c)=a_(i)+cx′_(i) and Resp_(i)(c′)=a_(i)+c′x′_(i). The vote ξ_(i) is

$\frac{{{Resp}_{i}(c)} - {{Resp}_{i}\left( c^{\prime} \right)}}{c - c^{\prime}}$

which is thus equal to x′_(i). So, an incorrect vote cannot have two correct challenges: it must be for i∈R′. The majority of the votes does not give x′_(i) only when #R≦#R′. So, we shall bound Pr[#R≦#R′].

Let I,I′

(1, . . . ,n) such that #I≦#I′ and I∩I′ is empty. Let p_(B)(a,b) be the probability that at least τ rounds succeed, when we know that a rounds succeed with probability 1, b rounds succeed with probability

$\frac{1}{q},$

and the other succeed with probability

$1 - {\frac{1}{q}.}$

We have Pr[#S≧τ,R=I,R′=I′]=Pr[#S≧τ|R=I,R′=I′]Pr[R=I,R′=I′] and Pr[#S≧τ|R=I,R′=I′]≦p_(B)(#I,#I′)≦p_(B) since we have #I correct rounds for sure and it remains to pick u correct challenges (out of at most q−1) among the i∉I∪I′ rounds, and v correct challenges (out of at most 1) among the i∈I′ rounds, for all u and v such that u+v≧τ−#I. By summing over all choices for I and I′, we obtain that Pr[#S≧τ,#R≦#R′]≦p_(B) So, Pr[#R>#R′|#S≧τ]≧−γ⁻¹p_(B). So, when the experiment succeeds, the extracting algorithm gets a random pair (μ,μ·x) with probability at least 1−γ⁻¹p_(B). This is better than just guessing μ·x when

$\gamma > {\frac{q}{q - 1}{p_{B}.}}$

We can do M many such accepting experiments, collect some (μ,μ·x) until we have s vector μspanning GF(q)^(s), and reconstruct x with probability at least γ′=(1−γ⁻¹p_(B))^(s). The probability that m samples in GF(q)^(s) do not generate this space is p_(m)≦q^(s-m) (the number of hyperplane, q^(s)−1 times the probability that the m samples are all in this hyperplane, which is q⁻¹ to the power m). So, the expected M until we generate the space is bounded by s+Σ_(m≧s)q^(s-m)≦s+2. Hence, after at most s+2 iterations on average, we can recover x by solving a linear system. This defines the extractor.

We can also push the extraction further when

${1 - {\gamma^{- 1}p_{B}}} > \frac{1}{q}$

by solving an instance of the Learning Parity with Noise problem (LPN), which would still be feasible by the practical parameters s.

Extraction can also work with a complexity overhead bounded by

(s^(j)) and a probability of at least γ′=Tail(s,s−j,1−γ⁻¹p_(B)), by finding at most J errors by exhaustive search or LPN solving algorithms.

The maximum p_(B)=p_(B)(a,b) is always reached for a=b.

Below, we prove that the result is tight for DB1 using q=3. Whether this it tight for other q is an open question. Whether it is optimal for protocols following the common structure is also open.

DB1's Tightness of the Soundness Proof.

To show that the result is tight for DB1 with q=3, we mount a (non-leaking) terrorist fraud succeeding with probability

$\gamma = {{{Tail}\left( {n,\tau,\frac{q - 1}{q}} \right)}:}$

let the malicious prover give to the adversary the tables for c_(i)

r_(i)+e_(i)(c_(i)) for every round i. For each such i, randomly pick one entry for which e_(i)(c_(i)) is a random nonzero value and let it be 0 for other, two entries. With such tables as a response function, the adversary passes the DB phase with probability γ. (Other phases are done by relaying messages.) Since the verifier accepts with negligible probability γ, the adversary learns as much as if Out_(V) was always set to 0.

For q=3 and each i, based on random a_(i)∈GF(q), x′_(i)∈GF(q)*, and c

e_(i)(c) as distributed above, we can easily see that the distribution of the transmitted table is independent from x′_(i): for x′_(i)=1, the table of c

a_(i)+cx′_(i) defined by a random a_(i) is randomly picked from

$\begin{pmatrix} {0\mspace{14mu} \ldots \mspace{14mu} 0} \\ {1\mspace{14mu} \ldots \mspace{14mu} 1} \\ {2\mspace{14mu} \ldots \mspace{14mu} 2} \end{pmatrix} \cdot \begin{pmatrix} {0\mspace{14mu} \ldots \mspace{14mu} 1} \\ {1\mspace{14mu} \ldots \mspace{14mu} 2} \\ {2\mspace{14mu} \ldots \mspace{14mu} 0} \end{pmatrix} \cdot {\begin{pmatrix} {0\mspace{14mu} \ldots \mspace{14mu} 2} \\ {1\mspace{14mu} \ldots \mspace{14mu} 0} \\ {2\mspace{14mu} \ldots \mspace{14mu} 1} \end{pmatrix}.}$

When adding the random table e_(i)(c), it becomes a uniformly distributed random table among those with an output set of cardinality 2. For x′_(i)=2, the table of a_(i)+cx′_(i) is randomly picked from

$\begin{pmatrix} {0\mspace{14mu} \ldots \mspace{14mu} 0} \\ {1\mspace{14mu} \ldots \mspace{14mu} 2} \\ {2\mspace{14mu} \ldots \mspace{14mu} 1} \end{pmatrix} \cdot \begin{pmatrix} {0\mspace{14mu} \ldots \mspace{14mu} 2} \\ {1\mspace{14mu} \ldots \mspace{14mu} 1} \\ {2\mspace{14mu} \ldots \mspace{14mu} 0} \end{pmatrix} \cdot {\begin{pmatrix} {0\mspace{14mu} \ldots \mspace{14mu} 1} \\ {1\mspace{14mu} \ldots \mspace{14mu} 0} \\ {2\mspace{14mu} \ldots \mspace{14mu} 2} \end{pmatrix}.}$

but adding e_(i)(c) leads to the same distribution as for x′_(i)=1. So, the above attack does not leak and is a valid terrorist fraud. Th. 14 essentially says that there is no valid terrorist fraud with a larger γ. So, the result is tight for DB1 with q=3.

The same proof technique leads to the following result for DB2.

Theorem 15 (thDB2sound)

For

${\frac{\tau}{n} > \frac{3}{4}},$

the DB2 scheme is (γ,γ′,s+2)-sound for any

${\gamma \geq {2\; {{Tail}\left( {\frac{n}{2},{\tau - \frac{n}{2}},\frac{1}{2}} \right)}\mspace{14mu} {and}\mspace{14mu} \gamma^{\prime}}} = {\left( {1 - {\gamma^{- 1}{{Tail}\left( {\frac{n}{2},{\tau - \frac{n}{2}},\frac{1}{2}} \right)}}} \right)^{s}.}$

Again, it is open whether this is optimal for a protocol with binary challenges. The bound is pretty tight for DB2: a malicious adversary could leak the c_(i)

r_(i) tables for a random selection of half of the rounds, and leak the table with one bit flipped for the others. This will not leak x′_(i) and will pass with probability

$\gamma = {{{Tail}\left( {\frac{n}{2},{\tau - \frac{n}{2}},\frac{1}{2}} \right)}.}$

Performance Comparisons

Tests with a noise level of p_(noise)=5% have shown that the DB1, DB2 and DB3 protocols are more resistant than SKI and FO. Moreover, a lower number of rounds is required to attain such security.

We provided the provably secure symmetric protocols DB1, DB2, and DB3 which require fewer rounds than the only two existing, provably secure protocols, SKI and FO. Prior to this, we have revised the formal model for distance-bounding protocols in a way which is closer to (the state of the art of) interactive proofs. We also studied optimality of all provably secure DB protocols, existing and advanced herein.

Implementations

The prover and verifier of the present invention may be incorporated into (e.g., implemented within or performed by) a variety of apparatuses (e.g., devices). For example, one or more aspects taught herein may be incorporated into a phone (e.g., a cellular phone), a computer, a tablet, a personal data assistant (“PDA”), a smart card, a RFID device or transponder, an electronic access key, a dongle, an entertainment device (e.g., a music or video device), a headset (e.g., headphones, an earpiece, etc.), a medical sensing device (e.g., a biometric sensor, a heart rate monitor, a pedometer, an EKG device, etc.), a user I/O device (e.g., a watch, a remote control, a light switch, a keyboard, a mouse, etc.), an environment sensing device (e.g., a tire pressure monitor), a computer, a point-of-sale device, an entertainment device, a hearing aid, a set-top box, or any other suitable device.

Those of skill would further appreciate that any of the various protocols, methods or method steps described or claimed in the present application may be implemented as electronic hardware (e.g., a digital implementation, an analog implementation, or a combination of the two, which may be designed using source coding or some other technique), various forms of program or design code incorporating instructions (which may be referred to herein, for convenience, as “software” or a “software module”), or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.

The various illustrative devices and further means described in connection with the aspects disclosed herein may be implemented within or performed by an integrated circuit (“IC”), an access terminal, or an access point. The IC may comprise a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, electrical components, optical components, mechanical components, or any combination thereof designed to perform the functions described herein, and may execute codes or instructions that reside within the IC, outside of the IC, or both. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

Various electronic systems may be used by the verifier v as timer for verifying the delays t_(i) between each challenge c_(i) and the corresponding reply r_(i). In one example, a time of flight measuring system based for example on avalanche diodes may be used.

It is understood that any specific order or hierarchy of steps in any disclosed process is an example of a sample approach. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged while remaining within the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.

The steps of a method or algorithm described in connection with the aspects disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module (e.g., including executable instructions and related data) and other data may reside in a data memory such as RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of computer-readable storage medium known in the art. A sample storage medium may be coupled to a machine such as, for example, a computer/processor (which may be referred to herein, for convenience, as a “processor”) such the processor can read information (e.g., code) from and write information to the storage medium. A sample storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in user equipment. In the alternative, the processor and the storage medium may reside as discrete components in user equipment. Moreover, in some aspects any suitable computer-program product may comprise a computer-readable medium comprising codes (e.g., executable by at least one processor) relating to one or more of the aspects of the disclosure.

The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein. 

1. A method allowing a prover holding a secret key to prove its identity to a verifier and to prove to this verifier that he is within a predetermined distance of this verifier, said method comprising an initialization phase and a distance bounding phase, said initialization phase comprising the following steps: the prover picks a first nonce and communicates this first nonce to the verifier; the verifier picks a first random vector, a leak function, and a second nonce; the verifier uses said leak function to compute a modified secret depending on the leak of said secret; the verifier transmits to said prover said leak function and said second nonce; the prover retrieves said first random vector and said modified secret, wherein said first random vector and said modified secret are used by said prover during said distance bounding phase for computing responses to challenges sent by said verifier to said prover.
 2. The method of claim 1, wherein the verifier computes a computed vector as a function of said first vector, said first nonce, said second nonce, and said leak function; wherein the verifier transmits to said prover said computed vector, said leak function, and said second nonce; and wherein said prover uses said computed vector to retrieve said random vector.
 3. The method of claim 1, further comprising a challenge verification phase after said distance bounding phase, wherein said prover sends to said verifier during said verification phase a parameter (t) that depends on challenges received by said prover during said distance bounding phase, wherein said verifier uses said parameter to determine during said verification phase whether the challenges received by said prover during said distance bounding phase correspond to the challenges sent to said prover.
 4. The method of claim 3, wherein said challenges are non binary.
 5. The method of claim 1, further comprising a step during said initialization phase during which said verifier picks a second random vector with a Hamming weight of n/2, where n is the number of challenges sent during said distance bounding phase, wherein said modified secret is the addition of the leak of said secret and of the second random vector; wherein said verifier transmits said second random vector to said prover.
 6. The method of claim 1, wherein each said challenge is sent at a random time within an interval.
 7. The method of claim 1, wherein said prover is embedded as a wireless smart card.
 8. The method of claim 1, wherein said prover is embedded as a NFC device.
 9. The method of claim 1, wherein said prover is embedded as an electronic access control device.
 10. A method that can be used by a prover holding a secret key to prove its identity to a verifier and that he is within a predetermined distance of this verifier, said method comprising an initialization phase and a distance bounding phase, said initialization phase comprising the following steps: the prover picks a first nonce and communicates this first nonce to the verifier; the prover receives from said verifier a leak function, and a second nonce; the prover determines a first random vector and a modified secret based on the first nonce, on the second nonce, on the leak function, and on the secret key; said prover uses said first random vector and said modified secret during a distance bounding phase for computing responses to challenges received from said verifier.
 11. The method of claim 10, further comprising a challenge verification phase after said distance bounding phase, wherein said prover sends to said verifier during said verification phase a parameter (t) that depends on challenges received by said prover during said distance bounding phase.
 12. A method that can be used by a verifier holding a secret key to verify the identity of a prover and whether this prover is within a predetermined distance of this prover, said method comprising an initialization phase and a distance bounding phase, said initialization phase comprising the following steps: the verifier receives a first nonce transmitted by a prover; the verifier picks a first random vector, a leak function, and a second nonce; the verifier uses said leak function to compute a modified secret depending on the leak of said secret; the verifier transmits to said prover said leak function and said second nonce; the verifier send challenges to said prover; the verifier verifies a response to said challenge received from said prover; the verifier verifies the delay between a challenge and a response to said challenge.
 13. The method of claim 12, wherein the verifier computes a computed vector as a function of said first vector, said first nonce, said second nonce, and said leak function; wherein the verifier transmits to said prover said computed vector, said leak function, and said second nonce.
 14. The method of claim 12, further comprising a challenge verification phase after said distance bounding phase, wherein said receiver receives from said verifier during said verification phase a parameter that depends on challenges received by said prover during said distance bounding phase, wherein said verifier uses said parameter to determine during said verification phase whether the challenges received by said prover during said distance bounding phase correspond to the challenges sent to said prover.
 15. The method of claim 14, wherein said challenges are non binary.
 16. The method of claim 12, further comprising a step during said initialization phase during which said verifier picks a second random vector with a Hamming weight of n/2 where n is the number of challenges sent during said distance bounding phase, wherein said modified secret further depends on said second random vector; wherein said verifier transmits said second random vector to said prover.
 17. The method of claim 12, wherein each said challenge is sent at a random time within an interval.
 18. An electronic device which could be used as prover and comprising: a storage for holding a secret key means for picking a first nonce and for communicating this first nonce to a verifier; means for receiving from said verifier a leak function, and a second nonce; means for retrieving a first random vector and a modified secret based on the first nonce, on the second nonce, on the leak function, and on the secret key; means for receiving from said verifier a sequence of challenges; means for determining responses to said challenges based on said first nonce and on said modified secret.
 19. A device according to claim 18, further comprising means for computing and transmitting to said verifier during a verification phase a parameter (t) that depends on challenges (c′_(i)) received by said prover during said distance bounding phase.
 20. A device according to claim 18, said device being a smart card.
 21. A device according to claim 18, said device being a NFC device.
 22. A device according to claim 18, said device being an electronic access control device.
 23. An electronic device which could be used as verifier and comprising: means for receiving a first nonce from a verifier; means for picking a first random vector, a leak function, and a second nonce; means using said leak function to compute a modified secret depending on the leak of said secret; means for transmitting to said prover said leak function and said second nonce; means for sending challenges to said prover; means for verifying responses to said challenges from said prover; means for verifying a delay between a challenge and a corresponding response received from the prover.
 24. The device of claim 23, further comprising: means using a parameter received from said prover to determine during a verification phase whether the challenges received by said prover during said distance bounding phase correspond to the challenges sent to said prover.
 25. The device of claim 23, wherein said challenges are non binary.
 26. The device of claim 23, further comprising means for picking a second random vector with a Hamming weight of n/2 where n is the number of challenges sent during said distance bounding phase, wherein said modified secret is the addition of the leak of said secret and of the second random vector; wherein said verifier transmits said second random vector to said prover.
 27. The device of claim 23, further comprising means to compute a computed vector as a function of said first vector, said first nonce, said second nonce, and said leak function, and means to transmit to said prover said computed vector, said leak function, and said second nonce.
 28. A system comprising a device that can be used as a prover according to claim
 18. 29. A tangible computer-program product comprising a computer-readable medium comprising codes executable by at least one processing circuit for causing said processing circuit to carry out the method of claim
 10. 30. A tangible computer-program product comprising a computer-readable medium comprising codes executable by at least one processing circuit for causing said processing circuit to carry out the method of claim
 12. 